New EU-Data Protection rules

EU-Data Protection rules: All Companies, but in particular Smaller and Medium-sized Companies (SME) will be threatened with fines in the millions of Euros by new EU-Data Protection rules.

As of 25th May 2018 the EU-Basic Data Protection Regulation will apply and will need to be carefully considered by most companies in the EU. All their data processing needs to be adjusted accordingly.

Which data protection rules will apply in Germany?

The current German Data Protection Act will be largely replaced by corresponding EU-rules. For the EU-regulation to apply it does not need any transformation into national law. Regulations apply directly. However, the national authorities have residual legislative powers to supplement or to determine the EU-rules without being allowed to change them in substance. E.g. any Works Council Agreements in Companies which contain data protection rules have to be adjusted to EU-rules.

EU-Data Protection rules: What will effectively remain and what will change?

Generally, the processing of personal data is prohibited unless it is permitted by EU-rules or relating provisions. The currently valid permissions will, by and large, be upheld. The rules regarding the company ombudsman for data protection will remain largely intact.

The powers of licensed consumer protection organisations (pressure groups) to sue will remain. If data are being used for the purpose of marketing, opinion surveys, using commercial information, profiling, address trading, any licensed consumer organisation will be empowered to sue next to or on behalf of the person affected by such use of data.

Any further processing of data is permitted only if this is in compliance with the original purpose of such data collection or if permitted by the person affected by it. A silent or tacit consent is not sufficient. Nor is any inaction or automatic action of the consumer by ticking certain boxes online etc.

The person affected may at any time revoke its consents, whereby the process of revocation must be just as easy as the consent process.

Any consent or permission must not be combined with any other conditions.

The data processing company has wide ranging duties to disclose any information to the person affected by data processing regarding the legal basis of processing, the duration of data storage and other related issues.

The duty to delete data is extended to e.g. the disclosure of any data transfer to third parties.

The person affected may object to data processing for direct marketing purposes whereby the right to object must be clearly highlighted and separated from any other information.

Any company contracted to process data (Contractor) will have wide ranging duties to document its data processing and will be held liable next to the principal for any illegal data processing.

Particularly risky data processing will require an assessment of its consequences.

Data processing companies will be required to immediately notify the authorities of any irregularities. In practice, a detailed risk management will be required.

Most importantly, the financial penalties will be significantly increased and may reach 4 percent of a company turnover (revenue) for each act of violation. Although any such penalty is subject to the principle of reasonableness and adequacy, a significant increase in fines is to be expected. If a violation recurs the penalties will, in all likelihood, increase significantly.

Which measures should companies concerned with or processing data take?

It is strongly recommended that the senior management deals with the EU-regulation in detail and assess its impact on their company. This particularly applies to any company which store or process personal data of its employees, business partners etc. , such as their names, addresses and professional details of individuals (career details, warnings, notices). This duty of care particularly applies to companies which offer goods and services online (online trading). The ordering process will have to be adjusted to comply with the new EU-regulations. If a company is affected by these new EU-rules, it is advisable to take professional advice.

It is also recommended to review any Works Council Agreements of companies entered into with their employees whether they are still in compliance with EU-rules.

Data processing of EU-residents in countries outside the EU

Data processing of EU-residents in countries outside the EU may need to be reviewed. It seems unclear if and to what extent such outsourcing practices to contractors dealing with personal data outside the EU are still in compliance with the EU-Basic Data Protection Regulation. Apparently, the rights of the consumer towards such contractors may be largely restricted. It is e.g. arguable whether the enforcement of EU-regulation by a consumer will be effectively frustrated by such outsourcing practice.

Case law will have to provide for much needed legal certainty on this issue.